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Abstract 



Computer network security is becoming an increasingly important problemin a society that is becoming 
more and more dependent on informationsystems and computer technology. As Novell NetWare is the 
currenUeader in market share among network operating systems software, thistalk will focus on 
practical and cost-effective NetWare-specificapproaches to infomiation systems and computer security. 
This will bedone with a series of specific and practical real world experiences inthe area of information 
systems and computer security specific examplesthat, at the same time, illustrate general and 
fundamental informationsystems and computer security concepts. 

Introduction 

Computer networks are increasingly used to share infonnation andresources in order to reduce the costs 
associated with the duplicationand sharing of such information and resources. And computer 
securityhas become important in direct relationship to this increase in the useof information systems 
and computer technology. 

The area of information systems and computer security forms an everexpanding body of knowledge. A 
short paper can only touch the surfaceof this knowledge (see, for example, Forcht, 1994; Stallings, 
1995;Kaufman, et al, 1995). So, instead of a general overview of networksecurity, this paper should be 
considered a continuation of the papcrprescntcd last year (Snyder, 1994b) and will consist of a series 
ofspccific examples with wliich the author has personal experience andthat, at the same time, illustrate 
some fundamental and gcneralprinciples of network security. And, as Novell NetWare is the 
currenUeader in market share among network operating systems software,practical and cost-effective 
NetWare-specific approaches to infonnationsystcms and computer security will be featured (for general 
anddctailed information on NetWare 3.x, see, for example. Hey wood, ct al,l994). 

Where appropriate, a command-line approach, as opposed to a full-screenapproach, to network 
commands will be used since the execution of acollcction of command-line commands can be 
automated by placing ihccommands in a batch file and executing the batch file. 

And, since the goal is cost-cffcclivc and practical network sccurity,only readily available and low cost 
solutions will be addressed. 
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Background 

The purpose of a network is to share resources, typically files.printere. and infomiation in general. But. 
m order to balance sharingwith security, user accounts, identified with a user identification, oruserid. 
are created with password access in order to limit sharing. Forconvenience. users can be made members 
of groups so that entire groupsof users can be given certain rights by giving those rights to thegroup. 
although NetWare is not designed to make group managementparticuariy easy (Snyder. 1994c). A 
NetWare network (3.x will beassumed in this paper) is a client-server network in that the fileseiver is 
used to share files (and information) while clientworkstations access the (centralized) file servervia 
some networktopology (usually ethemet or token ring). In practice, a file serveris a high powered 
workstation with NoveU NetWare software installed.A printer server is another type of server, but. in 
practice, if thefile server is not being ftiUy utilized, the print ser\'er (and otherservere. such as SQL. 
modem, fax. etc.) can be installed on theworkstation comprising the file server. A local area network 
(LAN) mayconsist of a large number of interconnected file servers, often caUeda wide area network 
(WAN). The enUre process is sufficienUycomplicated. ever changing, and important enough that a 
full-umenetwork administrator and assistants are often hired to maintain thenetwork. 

Passwords 

A password is used to authenticate that the user is who the user claimsto be. There should be a 
one-to-one correspondence between users(people) and userids (user accounts). If not. consider the 
commonaccount STUDENT (with no password). If STUDENT has email access. thenSTUDENT can 
send a nasty message to the president. Who is responsible? Anyone could have used Uiat account. On the 
other hand, suppose thatuser LAYNE leaves his workstation unattended. A student uses theoppoitunity 
to use the workstation to send a nasty message to theprcsident. Who is responsible? In this case the 
person assigned toLAYNE is responsible. This is a simple example that illustrates theimpoitance of 
password protection and the example can be used to wamusers about giving their passwords to other 
mdividuals. User mustunderstand that account access is associated with responsibility forthe actions 
done by that account. 

For this and other reasons, password protecUon is an importantcomemone of network security. Given 
the proper password(s). a personcan get access to anything on the network (for which it is possible toget 
access; even the SUPERVISOR cannot access password informaUon inNetWare without physically 
disassembling the file server and dissectingthe hard drive). 

For example, user RSNYDER can login to file server HORNETS with the command 
login.exe HORNETS/RSNYDER 

whereupon the login.exe program requests a password to authenticate theuscr as RSNYDER If the 
person types the proper password, the nctworkassumes that the pcreon is. indeed, the person assigned to 
the RSNYDERaccount. 

But. and here is the nib. the password must move from the clicntworkstaUon to the file server over a 
wire. What if someone has accessto the wire and watches the messages go back and forth"? So 
longpassword protection. Hardware (and software) arc available for suchtasks, and the price is coming 
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down. Think of it this way. A bridge canbe used to connects two network (of similar or dissimilar 
topologies).Messages from one network that are destined for the other network arepassed through the 
bridge. In this sense, bridges are one way ofreducing traffic in a congested network (that is, split the 
network inhalf and connect the networks with a bridge). Although hardware bridgescan be purchased, a 
NetWare software bridge can be created from aworkstation by adding two network adapter cards to the 
workstation,connecting each of the adapter cards to one of the two networks to beconnected with the 
bridge, and installing the software to take messagcsfrom either side and place it on the other, as 
required. (Note: NetWaresoftware bridges are somewhat limited if certain non-Novell protocolsor 
software are to be used, e.g., TCP/IP, PC Support). In action, thebridge software takes messages from 
the adapter card, as required, intothe CPU (and memory), and then to the other adapter card, from the 
CPU(and memory). There is nothing to stop someone, given the propersoftwarc and/or programming 
techniques, from looking at the messages asthey are being transferred. 

Luckily, the NetWare login.exe program (NetWare 3.x and after) has abuilt-in encryption feature that 
uses the RSA algorithm that works, insimplified fonn, as follows. 

• The login.exe program on the client workstation requests a public key from the file server. 

• The file server generates a public and private key. The private key is kept at the file server. 

The public key is sent to theworkstation. Anyone listening (watching the wire) could obtain 
thepublic key. 

• The client workstation gets the password from the user and encrypts it with the public 

key. The encrypted password is sent tothe file server. Anyone listening (watching the wire) 
could obtainthe encrypted password, but decrypting the message would requircthe private 
key, which is very difficult to detenninc given onlythe public key. (This is the trapdoor part 
of the algorithm). 

• The file server decrypts the encrypted password with the private key. If the decrypted 

password matches the password stored at thefile server (and to which even the 
SUPERVISOR does not haveacccss), then the user is assumed to be valid, and login 
succeeds. 

This scenario ignores the problem of "spoofing" where a clicntworkstation attempts to look like a file 
server and fool the clientinto revealing infonnation (such as a critical password) to a fake fileserver. 

So, no problem. Just encrypt the passwords. But, NetWare allows thenctwork supervisor to issue the 
following command 

Set Unencrypted Passwords On 

This command woulo typically be placed in the autoexec.ncf file on thefile server (autoexec.ncf is 
similar to the ^'.utoexec.bat file in DOS inthat the autoexec.ncf file contains commands that are 
automaticallyexccuted when the file server is booted). But why? 

In one panicular case, the autlior, as Director of Academic CompuUngand academic network 
supervisor, received a request from the Regislrarto install a direct connect print box (and, as is common 
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practice, wasnot contacted before purchasing the box). It turns out that certainhardware devices do not 
have built-in support for NetWare encryptedpasswords. In Uiis case, the print box could be set up in 
RPRINTER orPSERVER mode. In RPRINTER mode, the printer acts as a remote printer,requiring one 
user license on the network (a 100 user license becomes.in effect, a 99 user license). In PSERVER 
mode, the printer acts as aprint server, not requiring a user license on the network. RPRINTERmode 
does not require that encrypted passwords be turned off, butPSERVER mode does. For these reasons, 
the author chose to set up theprinter in RPRIhfTER mode. On the other hand, the administrative 
networksupervisor (and again, as is common practice, there was littlecommunication between the 
administrative network supervisor and theacademic network supervisor) chose to set up the printer in 
thePresident's office, using the same type of print box, in PSERVER mode.Well, when the 
administrative network supervisor left the university(for reasons that were never revealed), the author 
was caller^ in tocheck the state of the administrative network. The userlist.exe programrevealed that a 
print server was active and the name of the printserver indicated that it was in the President's office. 
Immediatelywalking down the hall and looking at the box, the author asked the VicePresident for 
Business Affairs why they were not using the encryptedpassword feature on the network, since anyone 
watching messages on thewire would be able to determine passwords and gain access to 
importantinformation. The Vice President was somewhat indignant that I wouldsuggest such a 
possibility and the Directory of AdministrativeComputing expressed doubt as to whether the (former) 
administrativcnetwork supervisor would have allowed it. So, we walked back down thehall to the file 
sever console which was. as usual, running monitor.nlmbut not locked (always leave the file server 
console runningmonitor.nlm lock the console whenever the file server is leftunattended, especially if 
remote file server console access isenabled). With a few keystrokes I brought up the autoexec.ncf file 
(editing the autoexec.ncf file is one of the options on the monitor.nlmmenu) and. there and behold, was 
the statement 

Set Unencrypted Passwords On 

at the end of the file. And this is a statement that must be put intothe autoexec.ncf. It just does not get 
there by itself. To the best ofthe author's knowledge, the print box is still run as a PSERVER, but.on the 
other hand, the author is no longer asked to check the state ofthe administrative network. 

The moral ofthe story is twofold. First, the specific lesson is thatpassword access can be compromised 
by turning encrypted passwords off.Second, the general lesson is that subtle influences and 
circumstancescan undermine the security of Uie network, which needs constantevaluation in order to 
determine possible weaknesses. 

Bindery 

NetWare 3.x stores all of its information about users, groups.printers, and such in a data structure called 
a bindery. Think of thcbindcry as a database. Calls can be made to the bindery (using theappropriate 
NetWare API, application programmers interface, or SDK,softwarc development kit). NetWare 4.x uses 
a somewhat morcsophisticated data structure called NDS, NetWare Directory Services,that is supposed 
to provide bindery emulation for those file servcrsand applications that require it. We will limit 
discussion to theNetWare 3.x bindery. Information such as file and directory rights arestored in the 
network file system. The bindery and file system worktogethcr to define user rights. 
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A fundamental assumption of security is that any potential adversaryhas access to all public and 
published information. In the case of anetwork file server, what exactly is public information. Well, in 
termsof a file server, public information consists of any access] bleinfomiation in the bindery and file 
system. File system rights arefairly well understood by most network supervisors (read, 
read-write,shareable, etc., rights for users and/or groups). Bindery informationis not as weU understood 
by network supervisors and users in general.But there is a considerable amount of network information 
available tomost users from the bindery. 

The author has written a program that uses NetWare API calls to dumpall user accessible information in 
the bindery to a tree data structurethat can be printed or used for future comparison. The author 
intendsto implement a tree merge routine to allow comparison of the bindery atvarious points in time 
(the current program allows the binderyinformation to be collected before the comparison program is 
done).This serves a number of purposes. 

• The author can see exactly what is public knowledge (from an attacker point of view) and 

take appropriate action. 

• The author can track changes in the networic over time. Since the author has written a 

number of software programs that are used onihe network for classroom purposes, it is 
important to find outabout changes sooner rather than later. 

The author wrote a similar type of program, in BLISS, in 1982 to trackwhat was happening on a 
DEC-10 used in a Research & Development Center, Within weeks, the author knew more about what 
was happening as far asusers and computer usage, than the computer staff who had been therefor years. 
The same thing happens on a NetWare network. Within wccks,one begins to have a belter picture of the 
network than even thcnetwork staff (the author is now teaching full time and no longerDirector of 
Academic Computing, so things can happen without iheauthor^s knowledge). For example, the author 
can say to the networkadministrator, "I happened to notice that EVERYONE now has access tothe 
MALTHUS (PostScript laser printer) when before, just BUSSCH (thebusiness school) had access," (it's 
sometimes best not to reveal yoursource of information; it just makes the network 
administratomervous). To make matters worse, some institutions have policies wherea record must be 
kept of the users, groups, etc, that are on thenetwork. And this record is usually kept manually. But this 
informationis already available from the bindery. And getting it from the binderyis much less error 
prone than maintaining it by hand (Snyder, 1994a). In essence, maintaining a series of snapshots of the 
bindery allows amuch better picture of what is happening. And, as mentioned bcfore,this is critical in 
being able to react to subtle influences andcircumstanccs can undermine the security of the network. 

Since the bindery is critical to the nctv.wk, it is important to backup the bindery (the bindery files in 
NetWare 3.x are stored in thcSYSiSYSTEM directory as nct$obj.sys, nct$prop.sys, and 
net$val.sys).This can be done as follows. 

• Insure that there are no other users on the network. 

• Login as SUPERVISOR. 

• Disable login (from fconsolc.cxc or from the file server console). 
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I 
I 
I 
I 

• Copy the files nel$obj.old, nciSprop.old. and nei$vaI.old to the client workstation so that _ 
they are not lost should the fileserver irrevocably crash. fl 

At a later time, the command bindrest.exe. supplied with NetWare, canbe run as SUPERVISOR from a 
client workstation in order to restore thebindery. 



'Runbindfix.exe. supplied with NetWare, as SUPERVISOR from a client workstation. 
While fixing the bindery, the bindery is alsocompacted. Note any error messages and take 
appropriate action.The old bindery files are stored as net$obj.oId. net$prop.old. 
andnet$val.old. 

• If there were no problems, run bindfix.exe again. This essentially makes the old bindery files 

the updated bindery files. 

• Enable login. 



And there is always the problem that a GUEST, or other user, can stuffthe bindery by creaUng large 
amounts of bindery entries such that theperformance of the file server is compromised. 

Trade Secrets 



I 
I 
I 



I 



It may. on occasion, be sufficiently secure to just keep certaininformation secret. In the case of the 
academic file server, theReg;strar had a program called transman (transcript management) thatwas used 
to manage transcripts. As a practical consideration, all userson the network had access to the same 
menu system. In a submenu, theRegistrar could run the transman program. Now, even though users I 
neededsufficient rights to actuaUy run the program, the appearance on themenu system might alarm " 
certain administrative persons. A compromisewas to rename the menu option from transman to the less 
obvioustechnical manual. The few people in the Registrar using the program hadlitUe trouble adapUng I 
and there was less cause for alarm. (Of course,funds for a more sophisticated menu system would have " 
allowed thcproblem to be solved in another manner). 

Just remember, trade secrets do not work if the trade secret is publicknowledge. That is, if the 
knowledge is discernible from the bindery bya normal user (or GUEST), as would be the knowledge 
that the MALTHUSPostScript laser primer was available to EVERYONE. Yes, printer accesscan be a 
security problem, especiaUy if confidential information issent to a network printer. Just imagine a 
printer that "spoofs" theprinter that prints paychecks (or other confidential correspondence) 
bypretending to be that printer (and no one notices the difference). 

Login Script 

When a user uses the login.exe (or other similar) program to login to afile server, the system login 
script, stored as the text fileSYS:PUBLIC/net$log.dat, is run. One purpose of the login script is toset up 
initial drive mappings, set default printer queues, etc., thatarc specific to that network. UsuaUy 
maintained by the networkadministrator, some network administrators depend on this login scriptfor 
some form of security, .such as running certain programs at start-up(e.g., anti-virus software) or for 
auditing purposes. Of course, thiscan be mi.sused. The current login script at the author's universityruns 
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the anti-virus software if the user is STUDENT (intended for thehard drives in the lab). NaturaUy, the 
case of a STUDENT login to ateachers workstation and causing the virus software to run may 
havedisastrous side effects, not in finding viruses, but in possiblycorrupting the hard drive or crashing 
the workstation of the teacher.But a client can create their own login script as, for example, ihetext file 
C:\my$log.dat and bypass the system login script with Ihefollowing command. 

login.exe /S C:\my$log.dat HORNETS/RSNYDER 

So. do not depend on the system login script for security purposes. 

Another weakness (or feature) is that users can automate passwordentry. Why would someone want to 
automate password entry? To avoidtyping the password, of course. Automating password entry in 
NetWare isas easy as creating a file called C:\rsnyder.pwd that contains theplain text of the password 
and using the following command thatredirects the input from the file C:\rsnyder.pwd instead of from 
thekeyboard. 

login.exe /S C:\my$log.dat HORNETS/RSNYDER < C:\rsnyder.pwd 

The problem here is that anyone with physical access to the workstationhard drive can determine the 
network password for RSNYDER. 

In terms of avoiding typing, the author is no exception. In the courseof network software development, 
it may be necessary to logout andlogin to the network many times during the course of a day. And, 
usingthe OS/2 Warp operating system with Microsoft Windows and DOS, it iseasy to open many 
(private) network sessions concurrently. One partialsolution to the automated password entry problem, 
and the one used bythe author, is to dynamically create the password file on a memorydrive the first 
time after the computer is turned on that the passwordis needed (this is done via a batch file). (Note: 
There goes my tradesecrct since the scheme is now public knowledge). Thereafter, thepassword need 
not be typed to login to the network. But, when the powerto the workstation is turned off, the memory 
drive, and the passwordfile, disappear. For security purposes, however, physical access to 
theworkstation is restricted by always locking the office door wheneverthe workstation is left 
unattended and the workstation is powered downat the end of each working day. 

The system login script can also be avoided by attaching, as opposed tologin, to the file server. Many 
network file servers maintain a GUESTaccount whose primary purpose is to allow users to attach to a 
networkfile server in order to user a given printer or other resource. TheGUEST account is created, with 
no password, when NetWare is installed.Some network supcr\'isors may not even know of the existence 
of theGUEST account. One can attach to a file server with a GUEST accountwith the following 
command. 

Attach Admin/guest 

Again, no login script is executed, so that all drive mappings must bemade by the user. But a GUEST 
may have browsing rights to a substanticilamount of information. In particular, GUEST cim access the 
bindery as alogged in (or attached) object and can obtain a good deal ofinformation about tlie 
infrastructure of the file server (via binderyand other calls). The author can just imagine the chagrin of 
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theadministrative network supervisor the night that the author's entircnetworking class attached to the 
administrative file server as GUESTand browsed through the information available to GUEST (note: 
twoemployee's of administrative computing were taking the course, so itwas for demonstrative, and not 
devious, purposes). 



Conclusions 

This paper has attempted to use a series of specific examples toillustrate general security concepts. 
There has been so much that hasnot been covered, but the purpose of the paper is to highlight 
somepractical real world experiences in the area of information systems andcomputer security that can 
be addressed with low cost soIutions.HopefuIIy this objective has, in some measure, been 
accomplished. 
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One might consider either removing the GUEST account, if it is notnceded. or, at least, restricting 
GUEST access to certain resources byremoving the GUEST account from the group EVERYONE 
(which conveys asubstantial amount of read access on the file server). But, the GUESTaccount issue H 
does need to be addressed. ■ 

Loopholes n 

The security.exe program, provided with NetWare, can be used by theSUPERYISOR to attempt to find 
potential security loopholes such- asinsecure passwords (that is, tlie user used the userid as a » 
password).no passwords, supervisor equivalences, root directory privileges, noiogin script, and I 
excessive rights in a certain directory. Since theprogram generates a lot of output, a suggested way to 
run the programis from the (secure) SUPERVISOR client workstation as follows. 

security.exe > C:NSECURITY\95-04- 18.dat 

This command redirects the output of the security.exe program to thefile called 95-04-18.dat in 
subdirectory C:NSECURITY. The date is usedfor the filename so that a record can be kept of the 
security messages.Note: This program generates a lot of output and spurious messages. Onemight want 
a program to filter ihe output of security.exe into a morcmanageable fonn. 

In the case of the administrative file server, running the security.exeprogram revealed that less than half 
of the about ninety user accountshad passwords (supposedly new user accounts were being m 
created,manually. and had not been given passwords). Repeat. All user accountsshould have passwords | 
assigned to them. Use automated (and tradesecret) means for the initial password generation and require 
the userto change the initial password). 
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